Professional Documents
Culture Documents
143-151 MobPhoneAutenticationToken tcm26-36823
143-151 MobPhoneAutenticationToken tcm26-36823
This paper provides a study of the various ways the mobile phone can be used as an authentication
token towards service providers on the Internet. It starts by discussing the need for a strong
authentication scheme and the motivation for using the mobile phone to improve on several aspects
of the current authentication processes. Then, the general architecture for authentication with mobile
phones is presented. Several different authentication solutions using the mobile phone as authentica-
tion token are then described, where the solutions vary in complexity, strength and user-friendliness.
Ivar Jørstad is The paper ends with an evaluation of the different solutions, and a discussion of the most probable
CEO of
attacks. A classification of the solutions is also provided, according to defined criteria.
Ubisafe AS
• It is common to write down username/password In addition, some such solutions can provide mobile
where others can easily find them. network operators with new sources of revenue since
they control much of the required infrastructure.
Due to these weaknesses of the username/password
scheme, other solutions must be used. For services This paper starts with a discussion of authentication
with particularly high security requirements, One- strength and discusses the concept of multi-channel
Time-Passwords (OTP) [1] or Smart Card solutions authentication as a mechanism for stronger authenti-
have been taken into use, e.g. for Internet-banking cation. Then some different authentication schemes
services or corporate service access. These more using the mobile phone as an authentication token
secure solutions usually increase the cost of the will be described. An evaluation of the different
security solutions both in the deployment phase schemes will then be performed according to specific
(provide all users with OTP-calculators or Smart criteria.
Cards w/readers) but also in the maintenance phase
(defective OTP-calculators, lost Smart Cards, invali-
dation of users etc.). 2 Strong Authentication
3 The Different Mobile Phone This closed loop can be realized in several ways as
Authentication Schemes described in the solutions presented below.
To be able to authenticate users through a mobile
phone, certain main components must be in place. 3.2 SMS Authentication
Figure 1 shows the main components and the basic with Session-ID Check
architecture needed for the solutions described later This solution exploits that a user with a valid mobile
to work. subscription is already authenticated through the
GSM system. Session IDs are used to ensure that it
The user must have access to a computer connected is the same user that controls both the computer and
to the Internet and be in possession of a mobile phone the mobile phone.
Request/access
Request/identity
Response/identity
Request/authentication (identity)
Session ID
Session ID
Confirmation
Response/authentication (identity)
Access granted
mobile phone number and the request is redirected to [3]. When the AS receives the confirmation it notifies
the authentication server. The authentication server the authenticator that the user is authenticated and
then creates a unique session ID and sends this to the redirects the browser back to the SP. The message
user by SMS and over the Internet to the computer. exchange is shown in Figure 3.
The user checks that the session ID in the SMS is the
same as the one shown in the browser. If this is the 3.3 One-Time-Password from PC to SMS
case the user replies by sending an SMS back to the The next two solutions make use of the OTP principle
AS confirming that the session IDs match. When [4] for authentication. The solutions describe differ-
receiving the confirmation the authentication server ent ways to securely use the mobile phone as an OTP
redirects the browser back to the service provider and token.
the user is given access to the service. The message
exchange is shown in Figure 2. The authentication procedure for the OTP from PC
to SMS solution is shown in Figure 4. When the
3.2.2 Automatic Check of Session ID client wants to access the SP the client’s identity is
To make it even easier for the user the session ID can requested. The client responds by typing his user-
be checked automatically. This can be done by pair- name in the browser. The message is relayed to the
ing the mobile phone and the computer by Bluetooth. AS which handles the authentication. Upon receiving
Access
Request/identity
Response/identity
Challenge
Challenge
OTP
OTP
Authentication successful
Access granted
the client’s identity the AS generates a challenge, typ- on the phone which can communicate with the SIM
ically a random number based on the client’s profile, card through SATSA-APDU [5] as shown in Figure
and a corresponding OTP. Then the AS sends the 5. The user is prompted for the challenge and enters
challenge to the client. The client enters the challenge it on the phone. The MIDlet transfers the challenge
on the mobile phone. The OTP applet on the SIM to the OTP applet which responds with an OTP. The
card generates an OTP from the challenge. The OTP user creates an SMS containing the OTP and sends it
is then sent to the AS by SMS. The AS compares the to the AS.
calculated and received OTP and notifies the authen-
ticator that the client is authenticated. The browser is 3.3.2 Automatic Variant
redirected back to the SP and the user is successfully If the mobile phone and computer are connected
logged in. through Bluetooth the challenge can be sent to the
phone automatically. To realize this, a Java applet
3.3.1 Manual Variant will run in the browser and communicates with the
When the client receives the challenge from the AS it Java MIDlet on the mobile phone. The MIDlet on the
is displayed in the browser. The user starts a MIDlet phone also has to be expanded so that it can create
and send an SMS with the OTP to the AS. This can
be done by the Wireless Message API[6].
MIDIet Java ME SIM
When the user wants to log in using the automatic
Connect solution the first thing to be done is to pair the mobile
Manage channel phone and the computer. If this is the first time these
two devices are paired a pass-phrase must be entered
on both devices. When the pairing is done the user
Select applet can choose to log in with the automatic solution and
Connection confirmed after providing an identity the rest of the procedure
will go automatically.
OTP applet
EAP-request identity
Get IMSI
IMSI
EAP-response - identity (based on IMSI)
EAP-request/SIM/start
Message 1
EAP-success
The supplicant receives the response from the SIM performed between the SIM card and the AAA server
and sends them to the authenticator in EAP format. by exchanging SMS messages. If the authentication
The authenticator relays the response to the AAA is successful, the SP is notified that the user with the
server that verifies that the MAC2 is correct. If corresponding session ID is authenticated, and the
MAC2 is correct the authentication is successful and user is provided access to the protected resources.
the user is logged in. The EAP-SIM authentication is
shown in Figure 7. To enable the phone to perform EAP authentication
over SMS an applet on the SIM card must be
3.5.1 SMS Variant installed. The applet generates the session ID to be
This solution is a variant that does not require a Blue- entered in the browser. Thereafter, the SIM applet
tooth enabled mobile phone. Instead the EAP-SIM performs authentication towards GSM using SMS
protocol will run over SMS. messages which encapsulate the EAP-SIM protocol.
This solution is similar to the previous, however it
The user chooses to log in using the EAP over SMS does not require the Bluetooth connection between
solution. When this is done, a web page is presented the mobile phone and the user’s PC since it instead
asking for a session ID. An authentication applet on uses SMS to close the authentication loop. SAP is
the SIM card is started by the AS through SAT and used to control the SIM card and mobile phone dur-
the user is asked to confirm that he wants to start the ing authentication.
authentication. A session ID is displayed on the
mobile phone screen and the user enters the session The implementation can be optimized so that only
ID in the browser. If the session ID is correct the user two mobile-originated short messages and one server-
must accept to start authentication by pressing an OK originated short message are required for full EAP-
button on the phone. Then EAP-SIM authentication is SIM authentication.
3. Computer SP
As Figure 8 illustrates, the different authentication
solutions can be subject to attacks in several areas,
depending on the specific scheme: Figure 8 Possible points of attack in mobile
authentication solutions
1 On the mobile phone;
2 Across the Bluetooth connection;
3 On the computer;
4 Across the Internet connection; 4.2.2 Automatic
5 Across the connection between service provider This solution, being rather similar to the previous
and authentication server; one, eliminates the human factor in the verification of
6 On and between GSM network components and the received session-id in the SMS. Instead, it intro-
connections. duces another point of possible attack; the Bluetooth
connection (2) between the mobile phone and the
The following sections will discuss some of the most user’s computer. The equality of the session-id on the
probable attacks on the different mobile authentica- mobile phone and the user’s computer is performed
tion solutions. over this Bluetooth connection. Consider a hijacker
which is able to intercept communication over this
4.2 Session-ID check with SMS connection (man-in-the-middle attack), thus being
able to receive requests over it as well as sending
4.2.1 Manual responses in return. A hijacker could then, similarly
With regard to Figure 8, this solution is realistically to in 4.2.1, establish a session towards the service in
most susceptible to an attack in the response phase, question with the user’s identity (cellular phone
i.e. when the user sends an acknowledgement back to number). An SMS will then be received by the valid
the AS through the GSM network. Consider a possible user’s mobile phone, with the appropriate session-id.
hijacker whose goal it is to steal a session from a valid However, if the hijacker is able to redirect his Java
user. If the hijacker establishes a session towards a Applet so that it contacts the valid user’s mobile
service at the same time as the valid user, using the phone, instead of his own, to access the valid session-
valid user’s identity (i.e. cellular phone number), two id, he can in theory hijack a user session, and this
messages with session-ids will be sent to the valid could happen even when the valid user is not actually
user. Being unaware of the hijack attempt, the valid in the process of establishing a session towards the
user might respond with acceptance to the invalid service at the same time. The Java Applet must also
user’s request, instead of to the valid user’s request. send the confirmation SMS through the valid user’s
mobile phone, since the AS will check that the confir-
However, such an attempt requires a hijacker to be mation comes from the appropriate cellular phone
familiar with the valid user’s identity as well as being number.
well synchronised with the valid user’s activitity (e.g.
through visual observation). The likeliness of such The Bluetooth connection between the user computer
a successful hijack attempt is therefore in practice and the mobile phone is protected by encryption
extremely low, since it also assumes that the user using a 16 digit key (as required by SAP) which is
does not properly study each of the incoming SMS used in the pairing process, so the feasibility to estab-
messages with session-ids. Another problem with the lish such an attack is very limited.
solution is that it is technically possible to spoof SMS
sender addresses, i.e. send SMS messages with the
valid user’s number. Additional security mechanisms
should be applied to prevent this.
ties, and that the authentication process can take one Shared secrets not revealed n/a √ √
single path back and forth, or exploit several channels Multi-factor authentication √ √ √
(multi-channel authentication) to complete the
Man-in-the-middle √
authentication. The paper also informally illustrates
the security properties of the solutions and provides Session hijacking √
a comparison between the solutions with respect to Authenticated data transfer √
four important criteria.
Table 1 Security properties
References
1 OATH – An industry roadmap for Open Strong 2006 [online] – URL: http://www.gemplus.com
Authentication. October 22, 2007 [online] – URL: /pss/telecom/download/jsr177_whitepaper
http://www.openauthentication.org/ _april05.pdf
2 3GPP. Technical realization of the Short Message 6 Ortiz, C E. The Wireless Messaging API, 2002.
Service. 2003. (3GPP TS 23.040) March 2007 [online] – URL:
http://developers.sun.com/techtopics/mobility
3 ETSI. GSM 11.14 Specification of the SIM Appli- /midp/articles/wma/
cation Toolkit for the Subscriber Module –
Mobile Equipment (SIM – ME) Interface. Sophia 7 Aboba, B et al. Extensible Authentication Proto-
Antipolis, 1996. col. IETF, 2004.
4 Haller, N, Metz, C, Nesser, P, Straw, M. A One- 8 Lunde, L, Wangensteen, A. Using SIM for strong
Time Password System. IETF, 1989. (RFC 2289) end-to-end application authentication. In: Tele-
matics. Trondheim, NTNU, 2006. (MSc thesis)
5 Cricco, R, Vinson, Y. Integrating the SIM Card
into J2ME as a Security Element, 2005. October 9 Bluetooth-SIG. Bluetooth specification SIM
Access Profile v.10, 2005.
Score
12 Session-ID check (manual)
6
OTP SMS-to-PC (manual)
Figure 9 Comparison of the different authentication solutions based on the mobile phone
For a presentation of Ivar Jørstad and Do Van Thanh, please turn to page 10 and 2, respectively.